On Mon, 30 Oct 2017 15:29:58 +0000 "Ucan, Emre (ADITG/ESB)" <[email protected]> wrote:
> Hi Pekka,
>
> We are of course running graphical applications as a different user
> than weston user. Therefore, the security flaws, which you mentioned,
> are not applicable.

Yes. That is exactly what I meant: even if you somehow managed to make
it safe, it does not make it any more appropriate to give the weston
user these permissions directly.

> Correct me if I am wrong, but weston-launch and logind are using
> setuid(), which itself is a major security problem. Furthermore, IMO
> logind is not needed in an embedded system. The fancy tty and input
> handling for a multi-user environment is not needed in an embedded
> system.

They are setuid or equivalent, yes. They have been intended to be that
from the very beginning, so their design should account for it.

logind is not just for multi-user, it is also for privilege
separation - exactly the thing you have reinvented yourself with user
accounts, except your solution does not generalize, and no-one else
uses, develops, or audits it. No-one *could* even use it aside from
using your distribution, because it relies on user account setup and
file permissions rather than any particular piece of software.

Recovering from a Weston crash is another example where using an agent
is a good thing. Weston does have a SIGABRT/SIGSEGV handler that
attempts to restore the VT before raising SIGTRAP for debuggers, but
it's obviously not reliable.

> I do not understand why you are against this patch. The patch is only
> removing an unnecessary restriction of running weston directly. This
> patch is not setting any privileged rights to any non-root user :).
> Users of weston would still get errors if they do not set the rights
> accordingly.

This patch is promoting bad practice. Therefore I am against it.

> IMO, it is much more explanatory to get an error like "Cannot open drm
> device" than "weston cannot run as non-root user".

That's true.
The actual error messages you get when no launcher succeeds are:

"fatal: drm backend should be run using weston-launch binary or as root"
"fatal: fbdev backend should be run using weston-launch binary or as root"

I would be quite happy to improve those error messages to be more
helpful. I believe they were written before logind support existed.

None of this changes the fact that launcher-direct has been written
for root use only, as a debugging aid.


Thanks,
pq

> > -----Original Message-----
> > From: Pekka Paalanen [mailto:[email protected]]
> > Sent: Monday, 30 October 2017 16:02
> > To: Ucan, Emre (ADITG/ESB)
> > Cc: [email protected]
> > Subject: Re: [PATCH weston] launcher: don't exit when user is not
> > root
> >
> > On Mon, 30 Oct 2017 15:20:42 +0100
> > Emre Ucan <[email protected]> wrote:
> >
> > > weston does not need to be root.
> > > It requires adjusting ownership on the given tty device.
> > >
> > > If weston does not have proper rights, it will get
> > > an error at startup anyway.
> > >
> > > Signed-off-by: Emre Ucan <[email protected]>
> > > ---
> > >  libweston/launcher-direct.c | 3 ---
> > >  1 file changed, 3 deletions(-)
> > >
> > > diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
> > > index a5d3ee5..b05d214 100644
> > > --- a/libweston/launcher-direct.c
> > > +++ b/libweston/launcher-direct.c
> > > @@ -276,9 +276,6 @@ launcher_direct_connect(struct weston_launcher **out, struct weston_compositor *
> > >  {
> > >  	struct launcher_direct *launcher;
> > >
> > > -	if (geteuid() != 0)
> > > -		return -EINVAL;
> > > -
> > >  	launcher = zalloc(sizeof(*launcher));
> > >  	if (launcher == NULL)
> > >  		return -ENOMEM;
> >
> > NAK, for the reasons explained in
> > https://lists.freedesktop.org/archives/wayland-devel/2017-October/035582.html
> >
> > To summarize, it's not only tty permissions but DRM and input
> > devices as well. If you set all these so that weston can actually
> > run without root using the direct launcher, then quite likely you
> > have opened some security holes.
> >
> > The direct launcher is specifically meant for running weston as
> > root. Running as root is only for debugging and development, never
> > for production.
> >
> >
> > Thanks,
> > pq
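Review bot: dropping the `if (geteuid() != 0) return -EINVAL;` guard at the top of launcher_direct_connect() makes the direct launcher report success for any uid, so the one up-front check that distinguishes a deliberate root-only debugging path from an accidental one is gone, and the first sign of trouble moves to whichever tty, DRM or input open() happens to fail first (or, worse, succeeds because someone chmod'ed the nodes). The commit message only mentions "adjusting ownership on the given tty device", which understates what the direct launcher touches; the reply lists DRM and input devices as well. If the goal is the more helpful error message, keep the guard and replace the silent -EINVAL with a weston_log() explaining that launcher-direct needs root and that weston-launch or logind is the supported way to run unprivileged, which would also fix the two "should be run using weston-launch binary or as root" fatals quoted above.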
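To make the privilege-separation point in the thread concrete, here is an added illustration (editor's example; not weston's code and not part of this thread) of the agent pattern that weston-launch and logind follow in stripped-down form: a privileged agent owns the policy and opens the device nodes, then hands already-open file descriptors to the unprivileged compositor over a Unix socket with SCM_RIGHTS. The compositor never needs permission on /dev/tty*, /dev/dri/* or /dev/input/* itself, which is exactly what setting file permissions for a "weston" user cannot give you. Temp files stand in for the device nodes so it runs offline, and the one-request/one-reply wire format and the allow-list are assumptions made for the example.

```python
"""Privileged-agent launcher pattern, stripped down (added illustration, not
weston's code). A privileged agent owns the policy and opens device nodes; the
unprivileged compositor only ever receives already-open descriptors over a Unix
socket (SCM_RIGHTS), so it needs no permission on the nodes themselves.
Assumptions: temp files stand in for tty/DRM/input nodes, and the one-request
one-reply wire format is invented for the example."""
import array
import os
import socket
import tempfile
import threading


def make_policy(allowed_paths):
    """Predicate accepting only canonical paths on the allow-list; realpath()
    on both sides keeps a symlink from steering the agent to another node."""
    allowed = {os.path.realpath(p) for p in allowed_paths}
    return lambda path: os.path.realpath(path) in allowed


def agent_serve_one(sock, permitted):
    """Privileged side: answer one open request, keeping no copy of the fd."""
    path = sock.recv(4096).decode()
    if not permitted(path):
        sock.sendall(b"denied: not a permitted device node")
        return False
    try:
        fd = os.open(path, os.O_RDWR | os.O_CLOEXEC)
    except OSError as exc:  # EACCES/ENOENT etc. are reported, never raised
        sock.sendall(b"denied: " + (exc.strerror or "open failed").encode())
        return False
    try:
        sock.sendmsg([b"ok"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                                array.array("i", [fd]))])
    finally:
        os.close(fd)  # only the compositor holds it from here on
    return True


def recv_reply(sock):
    """Return (payload, fd or None) from one agent reply."""
    fds = array.array("i")
    payload, ancdata, _flags, _addr = sock.recvmsg(
        256, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    return payload, (fds[0] if len(fds) else None)


def compositor_open(sock, path):
    """Unprivileged side: ask the agent instead of calling open() itself."""
    sock.sendall(path.encode())
    payload, fd = recv_reply(sock)
    if fd is None:
        raise PermissionError(payload.decode())
    return fd


def run_launcher(requests, allowed):
    """Agent in a thread, compositor in the caller. Returns
    {path: bytes read through the received fd, or the denial string}."""
    permitted = make_policy(allowed)
    agent_sock, comp_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    agent = threading.Thread(
        target=lambda: [agent_serve_one(agent_sock, permitted) for _ in requests])
    agent.start()
    results = {}
    for path in requests:
        try:
            fd = compositor_open(comp_sock, path)
            results[path] = os.read(fd, 64)
            os.close(fd)
        except PermissionError as exc:
            results[path] = str(exc)
    agent.join()
    agent_sock.close()
    comp_sock.close()
    return results


def demo():
    """Constructed scenario: one permitted 'device' and one file the policy
    must refuse even though the agent could open it."""
    with tempfile.TemporaryDirectory() as tmp:
        card0 = os.path.join(tmp, "card0")          # stands in for /dev/dri/card0
        secret = os.path.join(tmp, "not-a-device")  # outside the allow-list
        with open(card0, "w") as f:
            f.write("drm-node")
        with open(secret, "w") as f:
            f.write("must-not-leak")
        out = run_launcher([card0, secret], allowed=[card0])
        return {"card0": out[card0], "secret": out[secret]}


if __name__ == "__main__":
    print(demo())
```

Two things this shows that the file-permissions approach does not: the policy lives in one audited process rather than in whatever mode bits happen to be on the nodes, and a refused request comes back as an explicit denial from the agent rather than as the first open() that fails inside the compositor. A real agent (weston-launch runs as setuid root, logind as a system daemon) additionally keeps the VT and DRM master state so it can restore the console when the compositor crashes, which is the crash-recovery point made above; that part is out of scope for this example.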
_______________________________________________
wayland-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/wayland-devel
